CHICAGO -- Kevin Schultz sleeps a little better at night because he has two brands of antivirus software running on the computer system he manages at Central Wyoming College.
The college's IT director has found that running antivirus software from different vendors simultaneously at different network entry points gives his users the level of virus protection they need. "If the first one misses a virus, then hopefully the second one will catch it," Schultz said recently at Security Decisions.
Central Wyoming is running McAfee's NetShield on its mail server, with Sophos on the other servers and on desktops. Management of both products can be a hassle, Schultz said. Sophos virus definitions are pushed out centrally. Management of NetShield is minimized, as only one server needs to be updated.
Schultz admits that he can't think of a time when one antivirus software missed a virus that was caught by the other. However, the added protection at the desktop has other benefits. For example, Central Wyoming allows students to use Web-based e-mail accounts, which circumvent gateway or server-based antivirus software.
"We have to let the students use something (for e-mail)," Schultz said. "We need to be a little flexible."
Schultz's double-barrel attack on viruses is not unusual. Increasing volumes and varieties of viruses and worms may push IT managers to consider multiple products. The thinking behind it is simple: if brand A doesn't catch the latest malicious code, then perhaps brand B will.
Questions remain: Is the added protection worth the expense of licensing and maintaining multiple products? Some end users have a hard enough time keeping one antivirus product updated; how will they fare with two?
Companies that want the security of multiple antivirus scans could also outsource their e-mail security to a managed service provider like MessageLabs. The e-mail security company scans e-mail with McAfee, F-Secure and VFind antivirus in addition to its own proprietary heuristics-based scanner. Even with all of these engines in the path, the company can scan a 1MB e-mail in 1.2 seconds.
MessageLabs grew out of a British ISP that wanted to provide customers with a value-added service, namely antivirus protection. "We found one antivirus scanner wasn't enough. Two worked pretty good. Three were decent," said John Harrington, MessageLabs' U.S. marketing director.
However, even three signature-based antivirus scanners wouldn't protect against a new virus that antivirus companies are unaware of. So MessageLabs came up with Skeptic, its own heuristics-based antivirus scanner. These scanners often are plagued by false positives, but MessageLabs claims it gets about one false positive in a million.
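The multi-engine-plus-heuristic design described above, written out as an added example (this is not MessageLabs' or any vendor's code; the engine names, signature patterns, heuristic rules and sample messages are all constructed for illustration). Several signature engines, each knowing a different pattern, run in parallel with a score-based heuristic, and a message is blocked if any of them flags it. A second helper works out the combined detection and false-positive rates of such a stack, on the assumption that the engines err independently:

```python
"""Toy multi-engine mail-scanning pipeline (added example, not vendor code).

Engine names, signatures, heuristic rules and sample messages below are
constructed for illustration only.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    engine: str
    malicious: bool
    detail: str = ""


# Constructed signature sets. Each "engine" knows a different pattern, which is
# exactly the situation the "if A misses it, maybe B catches it" argument needs.
SIGNATURE_ENGINES = {
    "engine_a": [b"EVIL-PATTERN-ONE"],
    "engine_b": [b"EVIL-PATTERN-TWO"],
    "engine_c": [b"EVIL-PATTERN-ONE", b"EVIL-PATTERN-THREE"],
}


def signature_scan(engine: str, payload: bytes) -> Verdict:
    """Flag the payload only if it contains one of this engine's known patterns."""
    for sig in SIGNATURE_ENGINES[engine]:
        if sig in payload:
            return Verdict(engine, True, f"signature {sig.decode()}")
    return Verdict(engine, False)


# Constructed heuristic rules: weighted traits of a suspicious attachment rather
# than a known signature, so they can fire on code no vendor has seen yet.
HEURISTIC_RULES = [
    (re.compile(rb"\.(exe|scr|pif)\b", re.I), 40, "executable attachment name"),
    (re.compile(rb"AutoOpen|Document_Open", re.I), 35, "macro auto-run hook"),
    (re.compile(rb"WScript\.Shell", re.I), 35, "script shell object"),
]


def heuristic_scan(payload: bytes, threshold: int = 60) -> Verdict:
    """Sum the weights of matching rules; block at or above the threshold."""
    score, reasons = 0, []
    for pattern, weight, reason in HEURISTIC_RULES:
        if pattern.search(payload):
            score += weight
            reasons.append(reason)
    detail = f"score={score}; " + ", ".join(reasons)
    return Verdict("heuristic", score >= threshold, detail)


def scan_message(payload: bytes) -> dict:
    """Run every engine; any single malicious verdict blocks the message."""
    verdicts = [signature_scan(name, payload) for name in SIGNATURE_ENGINES]
    verdicts.append(heuristic_scan(payload))
    flagged = [v for v in verdicts if v.malicious]
    return {
        "block": bool(flagged),
        "flagged_by": [v.engine for v in flagged],
        "verdicts": verdicts,
    }


def combined_rates(detect_rates, false_positive_rates):
    """Any-engine detection and false-positive rates for a stack of engines.

    Assumes engines err independently. That is optimistic for misses (vendors
    share samples, so a novel virus tends to evade all of them at once) and it
    shows the cost side too: every extra engine adds its own false positives.
    """
    miss = 1.0
    for d in detect_rates:
        miss *= 1.0 - d
    clean = 1.0
    for f in false_positive_rates:
        clean *= 1.0 - f
    return 1.0 - miss, 1.0 - clean


# Constructed sample messages.
SAMPLE_MESSAGES = {
    "clean": b"Subject: minutes\n\nAttached: agenda.txt\nSee you Monday.",
    "known_to_b_only": b"Subject: invoice\n\n<<EVIL-PATTERN-TWO>>",
    "novel": b"Subject: photos\n\nAttachment: pics.jpg.scr\nSub AutoOpen()\n",
}


if __name__ == "__main__":
    for label, payload in SAMPLE_MESSAGES.items():
        result = scan_message(payload)
        print(f"{label:16s} block={result['block']} by={result['flagged_by']}")
    detect, fp = combined_rates([0.9, 0.9, 0.9], [1e-4, 1e-4, 1e-4])
    print(f"three engines: detection={detect:.4f} false_positive={fp:.6f}")
```

The "known_to_b_only" message is caught by one engine alone, which is the case the layered approach is built for; the "novel" message matches no signature at all and is stopped only by the heuristic, which is the gap the proprietary scanner in the paragraph above is meant to close. The rate calculation makes the trade-off explicit: three engines that each miss 10% of samples miss 0.1% together only if their misses are independent, and their false-positive rates add up in the same way.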
From a purely security standpoint, running multiple antivirus software packages has advantages, said Jeff Posluns, security expert and founder of SecuritySage Consulting. Using different products at file and mail servers and at the desktops adds more layers of security.
Some security experts go further and suggest running more than one antivirus software on a single system, but Posluns warns against it. "In my experience, there are sometimes false positives when a scanner reads the signature files of the other product," he said.
Yet, for Pete Lindstrom, an analyst with Hurwitz Group, the question of using multiple signature-based antivirus products is a little misguided. Traditional antivirus software is limited as vendors need to know about a particular virus and then write a signature file based on it.
"Antivirus software is always one step away (from viruses). You don't want to be the sacrificial lamb," he said of getting a virus before a signature file is ready.
Lindstrom advocates a paradigm shift towards behavior-based antivirus protection or "application control solutions" that look at the effect of malicious code on a system. Such software can stop damage from malicious code when it tries to do inappropriate things to the system.